DE102012208842A1 - Access control method, information processing device and access control program - Google Patents

Abstract

In an access monitoring method carried out by a computer, the following is provided: information about a first connection is stored when a request for access via the first connection is recognized, and authentication information is transmitted via the first connection; and when an e-mail containing information about a second connection is received and a request for access via this second connection is recognized, a determination is made as to whether the information about the second connection in a predetermined range is identical to the recorded information about the first connection are. If the determination is positive, access via this connection is prohibited if the information about the connection in the predetermined area is identical to the recorded information about the first connection, and the recorded information about the first connection is transmitted to a server which Gathers information about connections.

Description

Technical area

The presently discussed embodiments of the invention relate to an access control method, an information processing apparatus and an access control program.

Background of the invention

According to a known method that enables recognition of an illegal user in a system that provides services to users via a network, authentication information such as a user ID and a password is received from each user, and the user is authenticated on the computer Basis of the authentication information.

In a connection management system representing another similar purpose known method, when authentication information of a user is received from an access request source, the user is informed of the occurrence of an access request by an e-mail or the like, and access control starts Receiving an answer from the user. (See for example the Japanese Laid-Open Publication No. 2002-91917 .)

In a known management server, when an end user's access right for an access request is acknowledged by the end user, a Uniform Resource Locator (URL) is generated for obtaining a content, the end user is informed of the URL, and the content becomes available to the end user if the end user accesses the URL within a predetermined time period. (See for example the Japanese Laid-Open Publication No. 2002-288134 .) In a known mail server, personal authentication is performed when an e-mail is sent to the mail server. If the authentication succeeds, a registered e-mail address of the authenticated user is compared with an e-mail address obtained from the header of the e-mail, and the e-mail is transmitted from the e-mail server to a destination if the e-mail addresses are identical. (See for example the Japanese Laid-Open Publication No. 2004-64215 .)

In addition, the criminal act of "phishing" continues to increase. In phishing, the authentication information and the like of a user are illegally collected by providing a true service provider. For example, information is collected by informing a user via e-mail or the like of a URL of a website called "Phishing Website" (which is a fake genuine website) and prompting the user to phish Website to enter its authentication information.

For example, the phishing sites are recognized by the antivirus vendors. The antivirus vendors update antivirus software to prevent access to the detected phishing sites. However, the techniques used by the virus software vendors to recognize phishing websites can not be used in user terminals and the like.

Overview of the invention

It is the object of the present invention to provide an information processing apparatus, an access control method and an access control program which make it possible to judge whether authentication information is transmitted from an illegal destination.

In view of the foregoing and in accordance with one embodiment of the invention, the invention provides a computer program executed by a computer connected to a server which transmits an e-mail which transmits first connection information to an address associated with authentication information when the server receiving the authentication information, and allowing the delivery of a service by a device which is a source of authentication information when the server obtains access to a destination indicated by the first connection information, the computer being able to perform processing to perform on the Based on screen data received in response to accessing a destination indicated by second connection information, causing the display of an input screen on a display device, and the authentication information to ei ne device, which is the source of the screen data, when the authentication information has been entered into an input area within the input screen. The computer program causes the computer to execute a procedure comprising the steps of: recording the second connection information in storage devices when the computer detects an operation of the computer for the purpose of requesting access to a destination indicated by the second connection information; and determining if the first connection information is in one predetermined part are identical with the second connection information stored in the storage means when the computer receives the e-mail containing the first connection information and detects an action of the computer for the purpose of requesting access to a destination indicated by the first connection information.

Brief description of the drawings

1 shows an example of the structure of a computer network system according to a first embodiment;

2 shows an example of the structure of a computer network system according to a second embodiment;

3 shows an example of the hardware configuration of a personal computer (PC) in the second embodiment;

4 Fig. 10 shows an example of a display of a real site login page in the second embodiment;

5 shows an example of an indication of a confirmation e-mail in the second embodiment;

6 shows an example of a display of a member website in the second embodiment;

7 shows an example of an indication of a URL notification e-mail received from an illegal server in the second embodiment;

8th Fig. 13 shows an example of a display of a fake website login page in the second embodiment;

9 shows examples of processing functions of an electronic commerce (EC) server and an illegal server in the second embodiment;

10 shows an example of information stored in a customer DB (database) in the second embodiment;

11 shows examples of processing functions of a PC as a customer terminal and a virus protection update server in the second embodiment;

12 shows an example of information stored in a virus definition file in the second embodiment;

13 shows an example of information stored as log information in the second embodiment;

14 in connection with the second embodiment, shows a first part of a processing sequence that is performed when a PC accesses an EC website via a phishing web site;

15 in connection with the second embodiment, shows a second part of a processing sequence that is performed when the PC accesses the EC Web site via a phishing web site;

16 shows a processing flow which the PC performs according to a monitoring program in the second embodiment;

17 shows examples of processing functions of a PC according to a third embodiment; and

18 FIG. 15 shows a processing flow which the PC performs in accordance with a monitoring program related to the third embodiment.

Description of exemplary embodiments

Embodiments will now be described with reference to the accompanying drawings, in which like reference characters designate like elements throughout.

1. First embodiment

1 shows an example of the structure of a computer network system according to the first embodiment. In the case of in 1 The computer network system illustrated may be an information processing apparatus 10 over a network 30 on a server 20 access. The information processing device 10 For example, in response to an action for the purpose of requesting access to a destination, accesses the destination, the destination being indicated by connection information. For example, the connection information is the URL. If the destination to be accessed is the server 20 acts engages the information processing device 10 according to the connection information on the server 20 to.

The server 20 provides the user with the information processing device 10 uses a predetermined service, such as an electronic commerce service, over the network 30 ready. The server 20 can on a user DB (database) 21 Reference in which authentication information for use in the authentication of each user and an e-mail address of each user are stored.

The information processing device 10 has an access processing unit 11 and an e-mail receiving unit 12 on, the functions for receiving a service from the server 20 to process. Each of the access processing unit 11 and the e-mail receiving unit 12 performed operations can be realized when one in the information processing device 10 provided CPU (Central Processing Unit) executes a predetermined program. The following is a processing sequence explaining which the server 20 performs before service through the information processing device 10 is made available.

First, the server performs 20 a processing for the first authentication on the basis of authentication information 41 that of the information processing device 10 be transmitted. In the authentication information 41 it is information that it is the server 20 allow to determine if the user is a legitimate user authorized to receive the service. The authentication information 41 have, for example, user identification information, a user password, and the like. The server 20 receives the authentication information 41 for example, by the following procedure.

In step S11, the access processing unit accesses 11 in the information processing apparatus 10 in response to an action of the information processing device made by the user 10 , which serves the purpose of the access request, to the destination indicated by the connection information "connection A". For example, the access processing unit accesses 11 to the destination indicated by the connection information "connection A" in response to an action which serves to select the connection information "connection A" included in one of the e-mail receiving unit 12 received e-mail is included. In this example, the destination indicated by the connection information "Connection A" is the server 20 , If the server 20 the server receives the access request 20 Screen data indicating the display of an input screen for receiving the input of the authentication information 41 serve to the information processing device 10 which is the source of access.

In step S12, the information processing device operates 10 displaying the input screen by a display device and receiving an action for inputting the authentication information 41 in an input area, which is used for entering the authentication information 41 is provided in the input screen. Subsequently, the access processing unit transmits 11 the authentication information entered in the input screen 41 in response to an action of the information processing device performed by the user on the access request 10 to the server 20 (which is the source of the screen data).

In step S13, the server runs 20 processing for the first authentication by passing the received authentication information 41 with in the user DB 21 compares stored information. If the first authentication is successful, the server starts 20 the processing for the second authentication. The server receives the second authentication 20 from the user DB 21 an e-mail address of the received authentication information 41 associated user. Subsequently, the server transfers 20 an email 42 containing the connection information "connection B" to the user DB 21 received e-mail address. Although the destination specified by the connection information "Connection B" is the server 20 is, the server can 20 generate the connection information "connection B" such that a part of a string forming the connection information "connection B" is a random character string.

In step S14, the e-mail receiving unit receives 12 the information processing device 10 the from the server 20 sent and the connection information "connection B" containing e-mail 42 and access the server in response to an action for the purpose of requesting access to the destination indicated by the connection information "connection B" 20 to (which is the destination indicated by the connection information "connection B"). The action for the purpose of requesting access to the destination indicated by the connection information "Connection B" is, for example, one from the user of the information processing apparatus 10 Action taken to select the connection information "Connection B" in which the e-mail 42 display screen.

If the server 20 the access from the information processing device 10 receives the server 20 determines that the second authentication was successful, and the server 20 enables provision of the service by the information processing device 10 , For example, the server starts 20 providing the service by, for example, allowing the browsing of a member's website and receiving various requests such as goods orders.

According to the operation sequence including the aforementioned steps S111 to S14, the server performs 20 the authentication processing twice, ie it performs the processing for the first and the second authentication. It is therefore possible to prevent providing a service to a wrong user who is not authorized to receive this service.

Furthermore, the configuration is 1 an illegal server 50 with the network 30 connected. The illegal server 50 receives from the information processing device 10 illegal the authentication information 41 a user according to the following procedure.

In step S21, the illegal server transmits 50 to the e-mail address of the user of the information processing device 10 an e-mail that is a fake e-mail from a genuine service provider (hereafter referred to as an illegal e-mail). The illegal e-mail contains the connection information "Connection A1" for connection to an input screen for inputting the authentication information 41 , Then the e-mail receiving unit receives 12 in the information processing apparatus 10 the illegal e-mail and the access processing unit 11 accesses the illegal server in response to an action for the purpose of requesting access to the destination indicated by the connection information "connection A1" 50 too, being the illegal server 50 is the destination indicated by the connection information "Connection A1".

Alternatively, the illegal e-mail may be from a device other than the illegal server 50 be transmitted. In addition, the information processing apparatus can 10 the connection information "Connection A1" is communicated by means other than an e-mail.

For example, the information processing device 10 the display device cause to display a screen which displays the connection information "connection A1" on the basis of display data supplied from a predetermined server and the access processing unit 11 accesses the destination indicated by the connection information "Connection A1" in response to an action for selecting the connection information "Connection A1" on the displayed screen.

In step S22, the illegal server transmits 50 in response to the access by the information processing device 10 the screen data for displaying a display screen for recording the input of the authentication information 41 to the information processing device 10 which is the source of access. Subsequently, the information processing apparatus receives 10 the screen data and causes the display device to display an input screen based on the received screen data. The one on the illegal server 50 transmitted screen data based input screen has a structure similar to that of the input screen, which is based on the screen data received from the server 20 in response to the access being transmitted by the connection information "connection A". Therefore, the information processing apparatus receives 10 an action for entering the authentication information 31 into an input area of the input screen. Subsequently, the access processing unit transmits 11 in response to an action of the user for the purpose of requesting the access, the authentication information input to the input screen 41 to the illegal server 50 from which the screen data is transmitted for the aforementioned displayed input screen. In this way, the illegal server arrives 50 illegal to the authentication information 41 ,

Furthermore, the illegal server attacks 50 on the server 20 to by getting the obtained authentication information 41 in steps similar to the above-described steps S11 and S12. That is, the illegal server 50 In step S23, accesses the destination indicated by the connection information "connection A" and transmits the illegally acquired authentication information in step S24 41 over the server 20 displayed input screen to the server 20 ,

If the server 20 the authentication information 41 from the illegal server 50 receives, sends the server 20 an email 42 to the user of the information processing device 10 in a similar manner as in step S13, wherein the connection information is "connection B" in the e-mail 42 is specified. In the information processing apparatus 10 receives the e-mail receiving unit 12 the e-mail 42 and accesses the server 20 in response to an action requesting access to the destination specified in the connection information "connection B". That is, even in the case where the operation sequence is triggered by the access to the destination specified in the connection information "Connection A1", the server delivers 20 in the normal way the service by the information processing device 10 to the Users, and the user is not aware of the theft of the authentication information.

However, the information processing apparatus has 10 and a judgment unit 13 as a processing function of detecting the theft of the authentication information 41 on. The processing function of the assessment unit 13 is executed by executing a program by the in the information processing apparatus 10 included CPU realized. In the example below 1 becomes the processing function of the judgment unit 13 by executing an access control program 15 realized.

If the assessment unit 13 recognizes an action for input to request access to a destination indicated by a connection information draws the judgment unit 13 the connection information in a storage unit 14 on. The assessment unit 13 recognizes, for example, an action by means of which access to a destination specified in the connection information "connection A" or the destination specified in the connection information "connection A1" is requested and stores in the memory unit 14 the connection information "Connection A" or "Connection A1" according to the destination. The storage unit 14 can be arranged externally and with the information processing device 10 be connected.

If the assessment unit 13 recognizes an action for requesting access to a destination indicated by the connection information included in the e-mail receiving unit 12 received e-mail, represents the assessment unit 13 determines if the connection information contained in the from the e-mail receiving unit 12 received e-mail is included in a predetermined part with the in the storage unit 14 recorded connection information is identical. Represents the assessment unit 13 determines that the connection information contained in the e-mail receiving unit 12 received e-mail, in a predetermined part not with that in the storage unit 14 stored connection information is identical, represents the assessment unit 13 the target, which by the in the storage unit 14 stored connection information is specified as an illegal destination. The default part of the connection information is, for example, the domain name in the URL.

For example, if the access processing unit 11 accesses a destination indicated by the connection information "Connection A" or "Connection A1" receives the E-mail receiving unit 12 the e-mail 42 in which the connection information "connection B" is indicated. In this case, put the assessment unit 13 determines an action that gives access to the destination specified in the connection information "Connection B" (as described previously in the e-mail 42 specified) compares the appraisal unit 13 in the predetermined part, the connection information "Connection A" or "Connection A1" (stored in the storage unit 14 is stored) with the connection information "connection B".

The connection information "connection A" (indicating the legal destination) is identical to the connection information "connection B" in the predetermined part. On the other hand, the connection information "connection A1" (indicating the illegal destination) in the predetermined part is not identical with the connection information "connection B". Therefore, the assessment unit 13 notice that the connection information "Connection A1" indicates an illegal destination.

2. Second embodiment

The second embodiment will be explained below. The computer network system according to the second embodiment has an electronic commerce server that provides an electronic commerce service so that users can place a goods order through a network. In the second embodiment, as explained below, each customer terminal may also recognize whether authentication information is being transmitted to an illegal destination.

2.1 System configuration

2 shows an example of a configuration of a computer network system according to the second embodiment. In the computer network system 2 , are the personal computers (PC) 100a , to 100c customer terminals used by customers of an electronic commerce service and with a network 200 are connected.

In addition, an EC server 300 (Electronic Commerce) with the network 200 connected. The EC server 300 has functions of a web server and provides the customer end devices 100a to 100c an EC Website, which is a website for the provision of an electronic trading service for the client terminals 100a to 100c is. For example, the customer who owns the PC 100a used by the EC server 300 provided EC website on one (to PC 100a display), select a product to be purchased and place an order via the EC website. Likewise, the customers who own the PCs 100b and 100c to use, also from the EC server 300 received electronic trading service. In addition, the EC server has 300 the function of sending an e-mail to each customer.

Furthermore, it is an illegal server 400 with the network 200 connected, as in 2 and illegally collects customer information from the customer terminals over the network 200 wherein the customer information includes authentication information for and personal information about the customers of the electronic commerce service that the EC server 300 provides. The illegal server 400 provides a phishing website, which is a site for the illegal gathering of customer information.

As explained below, it is the case of the illegal server 400 phishing website provided by a fake website that mimics the real website that the EC server 300 provides. The illegal server 400 informs a customer by e-mail, for example, about the URL of the wrong website. If an access from a client terminal to the URL of the wrong website, the illegal server causes 400 the display device of the customer terminal to display a website of the wrong website and asks the customer terminal, customer information to the illegal server 400 via the displayed website. In this way, the illegal server gets 400 the customer information on the website of the wrong website.

In addition, there is a virus protection update server 500 with the network 200 connected. The antivirus update server 500 is operated, for example, by a manufacturer of an anti-virus program (or a computer virus detection program). The antivirus update server 500 transfers the latest virus protection definition file to the PCs 100a to 100c and arrange the PCs 100a to 100c to update an antivirus program on each of the PCs 100a to 100c is installed.

Each of the PCs 100a to 100c runs a phishing website detection program (also referred to as a monitoring program below) to detect a phishing website and the anti-virus program. If any of the PCs 100a to 100c If you detect access to a phishing Web site by running a phishing Web site detection program, the PC informs the virus protection update server 500 via the URL of the detected phishing website. The antivirus update server 500 Collects one or more URLs of one or more phishing websites from the PCs 100a to 100c and transmits to the PCs 100a to 100c a virus definition file that reflects the result of the collection.

2.2 Hardware construction

3 shows an example of the hardware configuration of the PC 100a in the second embodiment. Although not shown, each of the PCs points 100b and 100c a similar hardware design.

The entire PC 100a is from a CPU (Central Processing Unit) 101 controlled with which a RAM (Random Access Memory) 102 and more than one peripheral device by a bus 109 are connected. The RAM 102 serves as the main memory of the PC 100a temporarily stores at least parts of it through the CPU 101 programs to be executed and various types of data for those of the CPU 101 processing is required, the programs having an operating system (OS) program and application programs. The more than one peripheral devices connected to the bus 108 include an HDD (Hard Disk Drive) 103 , a graphic interface 104 , an input interface 105 , an optical drive device 106 , and a communication interface 107 ,

The HDD 103 writes and reads data magnetically on and off a magnetic disk in the HDD 103 is installed. The HDD 103 serves as a secondary storage device in the PC 100a , The HDD 103 stores various data and programs by the CPU 101 The programs are the OS (Operating System) and application programs. Alternatively, a semiconductor memory device such as a flash memory may be used as the secondary storage device.

A monitor 104a is with the graphic interface 104 connected. The graphic interface 104 causes an image to be displayed on a screen according to a command from the CPU 101 , At the monitor 104a For example, it is a liquid crystal display device. In addition, a keyboard 105a and a mouse 105b with the input interface 105 connected, which from the keyboard 105a and the mouse 105b output signals via the bus 108 to the CPU 101 transfers. The mouse 105b is an example of a pointing device and may be replaced by another pointing device such as a touch screen, a graphics tablet, a touchpad, or a trackball.

The optical drive device 106 reads on an optical disc 106a recorded data 106a using laser light or like that. The optical disc 106a is a portable recording medium on which data is recorded so that the data can be read by light reflection. At the optical disc 106a It may be a DVD (Digital Versatile Disk), a DVD-RAM, a CD-ROM (Compact Disc-Read Only Memory), a CD-R (Recordable) / RW (ReWritable) or the like.

The communication interface 107 is with the network 200 connected, so the pc 100a Data via the communication interface 107 with other devices like the EC server 300 can exchange.

Furthermore, the EC server 300 , the illegal server 400 and the virus protection update server 500 each also by a hardware structure similar to the 3 be realized.

2.3 Screen change on the PC

The following is an example of a screen change on each of the PCs that occurs when the customer performs an electronic trading service through the EC server 300 provided real website receives. In the following explanation, a case exemplifies where the PC 100a using customer receives the electronic trading service.

4 FIG. 14 shows an example of a display of a real site login page according to the second embodiment. FIG. The in 4 displayed browser screen 611 is a (window) screen on the PC 100a connected monitor 104a is displayed when the PC 100a running a web browser program. The browser screen 611 contains a web page display area 611a in which a web page is displayed. In addition, the browser screen 611 a URL indication area 611b in which a URL of the in the web page display area 611a displayed on the web page.

In the example of 4 will appear in the web page display area 611a The real website displayed by the EC server 300 provided. The login page 710 is a web page that is presented to a customer who is registered as a member of the electronic merchant service to enter login information for logging into the real web site. On the login page 710 become input areas 711 and 712 displayed in which a login ID and password must be entered as login information. When a customer enters an action to enter the login ID or password in the input areas 711 respectively. 712 performs and on one on the login page 710 provided login button 713 clicks, the login ID and password are from the PC 100a to the EC server 300 transfer.

The login page 710 For example, if the URL of the login page is displayed 710 in the URL details area 611b is entered and a connection to the URL is requested by an action performed by the customer. Alternatively, the login page 710 in response to a click on a hyperlink provided on a predetermined web page located in the web page display area 611a is displayed. Alternatively, you can also use the login page 710 in response to a click on a hyperlink specified in an email.

The EC server 300 is configured to be able to access a customer database in which customer information, including login IDs and passwords, are stored. If the EC server 300 the login ID and password from the PC 100a receives, compares the EC server 300 the received login ID and password with the customer information in the customer database, and determines if the combination of the received login ID and the password is valid. If the combination of received login ID and password is valid, the EC server sends 300 a confirmation e-mail to the customer's e-mail address associated with the login ID in the customer database, the confirmation e-mail being an e-mail sent to confirm that a Log in has been requested.

5 shows an example of an indication of the confirmation e-mail in the second embodiment. The in 5 displayed screen 612 to display the received e-mail is a screen to display an e-mail received from an e-mail server. The screen 612 to display the received e-mail is one of the screens (windows) on the with the PC 100a connected monitor 104a be displayed when the PC 100a runs an e-mail program. The screen 612 to display the received e-mail has a mail content display area 612a in which the content of a received e-mail is displayed. In the example of 5 becomes one of the EC server 300 sent confirmation e-mail 720 in the mail content display area 612a displayed. In addition, the screen can 612 For example, to display the received e-mail, an address display area 612b and a title display area 612c having an e-mail address of the sender of the received e-mail in the address display area 612b is specified and the title of the received e-mail in the title display area 612c is specified.

If the EC server 300 sends a confirmation e-mail, the EC server generates 300 a confirmation URL for receiving a login confirmation action to be performed by the customer, and writing the generated confirmation URL to the content of the confirmation email. At this point, the EC server is generating 300 the confirmation URL by adding a random string ("xx1yy2zz3" in the example below) 5 ) to the end of the domain name of the EC site. The domain name is in the in the 4 and 5 example, the string "adcdef.co.jp".

In the confirmation e-mail 720 to 5 is one of the EC server 300 generated confirmation URL in the form of a hyperlink 721 shown. After a customer has an action to log into the electronic trading service through the login page 710 in 4 the customer clicks on the hyperlink 721 to the confirmation URL to the EC server 300 to inform that the customer securely logs into the electronic trading service. The destination of the hyperlink 721 is one of the EC server 300 provided website, and the PC 100a accesses the EC server 300 in response to the click on the hyperlink 721 to. If the EC server 300 recognizes access to the confirmation URL is provided by the EC server 300 determines that the authentication of the user is successful. Then the EC server initiates 300 the pc 100a (as the source of access to the confirmation URL) to display a member web page (ie, a web page intended only for the members in the electronic commerce service).

6 shows an example of the display of a member website in the second embodiment. In the web page display area 611a of the browser screen 611 in 6 is an example of a member website 730 shown. For example, on the members website 730 a goods list display area 731 provided, the goods list display area 731 contains a list of goods that the customer can purchase. The customer can thus place an order for one or more of the goods by entering the details of the one or more goods in the mentioned, in the goods list display area 731 displayed goods performs appropriate actions.

As in the 4 to 6 specified, the EC server performs 300 for authenticating a customer requesting login, the first authentication based on the combination of the login ID and the password and the second authentication based on the access to the randomly generated confirmation URL by. If the first authentication and the second authentication are successful, the EC server allows 300 to browse the customer in member websites. The EC server 300 In this way, it can prevent illegal access, such as by customer identity fraud, by performing said dual authentication.

The following is the screen change in the PC 100a in the case where a customer receives an electronic commerce service through a fake website that is a phishing site. The following explanations assume that originally the illegal server 400 the pc 100a sent a URL notification email to the PC 100a An URL of a login web page in the wrong website tells.

7 In the context of the second embodiment, shows an example of a display of a URL notification e-mail received from an illegal server. In the mail content display area 612a according to 7 becomes the content of a URL notification e-mail 740 represented which the illegal server 400 sent. In the mail content display area 612a is the one in the URL notification email 740 contained URL in the form of a hyperlink 741 shown.

In some cases it is in the from the illegal server 400 transmitted URL notification email obfuscates the email address of the source of the URL notification email. In the example in 7 is the one in the address display area 612b specified domain name disguised as "abcdef.co.jp" in the source address, which is the domain name of the real site.

However, the goal of the hyperlink is 741 a login website in the wrong website, which is the illegal server 400 provides. Clicks the customer who has the PC 100a used on the hyperlink 741 , the pc attacks 100a on the illegal server 400 to. Detects the illegal server 400 access to the login website in the wrong site, the illegal server leaves 400 the pc 100a (as the source of access) to the wrong web site login page.

8th shows an example of a display of a login page in a wrong website in connection with the second embodiment. On the in 8th displayed browser screen 611 becomes a login webpage 750 a wrong website in the website display area 611a displayed. In the login website 750 are input areas 751 and 752 and a login button 753 intended. The input areas 751 and 752 are each intended to enter the login ID or the password. That is, the login web page 750 the wrong website has a similar structure to the login page 710 the real website, so it's difficult to get the login page 750 the wrong website from the login page 710 to distinguish the real website. The customer therefore performs an action to enter the login ID and password in the input areas 751 respectively. 752 through and click the login button 753 at. Although the customer intends to enter the login ID and password to the EC server 300 Thus, the login ID and password are actually sent from the PC 100a to the illegal server 400 transmitted.

If the illegal server 400 the login ID and password used by the PC 100a sent as described, the illegal server stores 400 the login ID and the password in a storage device or the like, sends the login ID and the password to the EC server 300 and prompts you to log in to the from the EC server 300 provided real website. Subsequently, the EC server leads 300 the aforesaid first authentication based on the login ID and the password provided by the illegal server 400 were received from. During the first authentication, the combination of login ID and password is determined to be valid. Therefore, the EC server transfers 300 the aforementioned confirmation e-mail to the e-mail address of the customer corresponding to the received login ID.

If the pc 100a the confirmation e-mail from the EC server 300 the customer clicks on a hyperlink to a confirmation URL located in the confirmation e-mail (and the one in 5 displayed hyperlink 721 is). The computer 100a accesses the hyperlink to the EC server in response to the click 300 to. If the EC server 300 access from the PC 100a receives the EC server 300 determines that the aforementioned second authentication was successful, and causes the display of a member website on the PC 100a ,

As mentioned before, the PC can become 100a even if he enters the login ID and password into the login website of a wrong website, logging into the real website in a series of steps similar to the sequence of steps taken in the case when the user Customer enters his login ID and password in the login page of the real website. The illegal server 400 can illegally receive the login ID and password while the customer does not notice the illegal phishing.

The antivirus vendor scans the network for phishing sites and updates the virus definition file in the Antivirus program to stop access to the phishing site found by the search. In addition, the virus protection program vendor sometimes updates the virus definition file based on information received from customers who have located a phishing site.

However, there is a gap in time between the appearance of a phishing web site and the output of the virus definition file to the user terminals, which has been updated to prevent access to the phishing web site. Therefore, the damage caused by the theft of customer information by the phishing website may increase before the updated virus definition file is output.

On the other hand, the PCs run 100a to 100c the phishing website detection program (the monitoring program) for detecting phishing websites as well as the anti-virus program. For example, if the phishing site detection program is running, the PC will run 100a through the following operations.

When the phishing website detection program is performed, the PC may 100a recognize access to a phishing website yourself. The computer 100a tells the antivirus update server 500 includes the URL of the detected phishing site and temporarily stores at least the domain name of the URL of the detected phishing site in the virus definition file of the virus protection program that the PC 100a performs.

If the antivirus update server 500 When the URL of the phishing site has been communicated, an examiner working with the antivirus vendor will audit the operations after connecting to the URL of the phishing site based on the URL. If it is determined that the URL's destination is a phishing site, the antivirus update server will prompt you 500 the pc 100a (which detects the phishing website) to permanently store the information previously temporarily stored in the virus definition file.

Furthermore, the virus protection update server generates 500 a virus definition file that lists at least the domain names of the URLs whose destinations were found to be phishing sites, and passes the virus definition file to the PCs 100a to 100c out.

As explained above, the PC saves 100a if the PC running the phishing website detection program 100a A phishing site temporarily detects at least the domain name in the URL of the phishing site in the virus definition file. The computer 100a therefore can directly configure itself to stop accessing the phishing website. In addition, the PC can 100a also access to others Stop phishing sites with the same domain name that provide login web pages and the like for different services. It is thus possible to prevent an increase in the damage caused by the theft of customer information.

2.4 Functions of the devices

The following are the functions that the PCs 100a to 100c , the EC server 300 , the illegal server 400 and the virus protection update server 500 in each case explained in detail.

9 shows examples of processing functions of the EC server 300 and the illegal server 400 in the second embodiment.

Like in the 9 shown is the EC server 300 a service delivery processing unit 310 and an e-mail sending processing unit 320 on. The functions of the service provisioning processing unit 310 and the e-mail sending processing unit 320 can be realized, for example, if the CPU in the EC server 300 runs a predetermined program.

The with the EC server 300 connected storage device stores a goods DB (database) 330 and a customer DB 340 , Information about goods sold to customers are in the goods DB 330 stored in the goods DB 330 stored information includes the goods IDs (for identifying the respective goods), the names and prices of the goods, URLs of web pages indicating details of the goods, and the like.

On the other hand, information about the customers registered as members is in the customer DB 340 saved.

10 shows in the context of the second embodiment, an example of information stored in the customer DB. The customer DB 340 saves a file for each customer. Each file in the customer DB 340 contains, for example, a customer ID (to identify the customer), a password (for which the EC Server 300 customer), the name, address, telephone number and e-mail address of the customer. In the example of 10 It is assumed that the customer ID is also used as the login ID.

Referring again to 9 It can be seen that the service providing processing unit 310 performs the functions of a web server that makes the EC website available to customers. Further, the e-mail transmission processing unit transmits 320 an e-mail in response to a request from the service providing processing unit 310 ,

The service delivery processing unit 310 performs authentication processing in response to a login request from a client terminal, and begins providing member web pages if the authentication is successful. The service delivery processing unit 310 For example, the customer terminal leaves a web page (for example, the member web page 730 in 6 ), which requests the customer to select information about a commodity, and receives the input of information required for the purchase of the commodity (for example, information about a credit card and the delivery destination of the commodity). Thereafter, the service delivery processing unit closes 310 the processing of this purchase.

In the authentication processing in response to the login request, the above-described first and second authentication are performed. Specifically, the service delivery processing unit leaves 310 the customer terminal a login web page according to the 4 and receives a login ID and password from the customer terminal. Subsequently, the service delivery processing unit takes 310 on the customer DB 340 Reference and determines if the combination of received login ID and password is valid. If the combination is considered valid, the service provisioning processing unit 310 determined that the first authentication was successful.

If the first authentication is successful, the service providing processing unit extracts 310 an e-mail address associated with the received login ID and generates a confirmation URL by appending a random string to the end of the domain name of the EC website. After that, the service providing processing unit leaves 310 the e-mail send processing unit 320 a confirmation e-mail to the from the customer DB 340 Send the extracted email address containing the confirmation URL in the content of the confirmation email. Then, when the service delivery processing unit 310 detects the access to the confirmation URL, represents the service provision processing unit 310 determined that the second authentication was successful.

Like in the 9 shown the illegal server 400 an e-mail sending processing unit 410 , a customer information receiving unit 420 and a server access processing unit 430 on. The functions of the e-mail send processing unit 410 , the customer information receiving unit 420 and the server access processing unit 430 can be realized, for example, if the CPU in the illegal server 400 performs a predetermined program.

The e-mail send processing unit 410 sends an IRL message email as in 7 represented to a (in 9 not shown) mail server, wherein the URL notification e-mail is an e-mail for notifying the URL of a login website of a wrong website. The e-mail send processing unit 410 can be in one of the illegal server 400 be arranged different device.

The customer information receiving unit 420 performs functions of a web server which gives the customer a login website of a wrong website (as in 8th shown). If the customer information receiving unit 420 determines the destination specified by the URL contained in the URL notification email leaves the customer information receiving unit 420 the source of the access show the login website of the wrong website. In addition, the customer information receiving unit receives 420 from the access source, a login ID and a password entered in the input areas of the displayed login web page, and records the received login ID and password in a customer information storage unit 440 on.

The server access processing unit 430 accesses the server 300 and receives data of the login web page from the service providing processing unit 310 , The server access processing unit 430 transmits the login ID and password, which the customer information receiving unit 420 received to the service providing processing unit 310 in the EC server 300 through the login page and asks to log in.

11 shows examples of processing functions of the PC 100a as the client terminal and the virus protection update server 500 in connection with the second embodiment. Although the processing capabilities of the PCs 100b and 100c in the 11 not shown, assigns each of the PCs 100b and 100c similar processing functions as the PC 100a ,

As in 11 the PC shows 100a a web browsing processing unit 111 , an e-mail receiving unit 121 , an e-mail display engine 122 , an access restriction processing unit 131 , a connection manipulation detection unit 141 , a log recording unit 142 , an assessment unit 143 and an access restriction control unit 144 on.

The functions of the Web browsing processing unit 111 can be realized, for example, when the CPU 101 of the PC 100a a browser program 110 performs. The web browsing processing unit 111 performs processing to the monitor 104a to cause to display a web page provided by a web server by communicating with the web server, and processing to transfer to the web server information inputted to input areas of the displayed web page, and other processing. The web server with which the web browsing processing unit 111 can, for example, the service provisioning processing unit 310 of the EC server 300 or the customer information receiving unit 420 of the illegal server 400 correspond.

The functions of the e-mail receiving unit 121 and the e-mail display control unit 122 can be realized, for example, when the CPU 101 of the PC 100a an e-mail program 120 performs. The e-mail receiving unit 121 receives emails from the mail server. That of the mail server on the part of the e-mail receiving unit 121 e-mails received include, for example, the confirmation e-mail that the e-mail sending processing unit 320 of the EC server 300 sends the URL message e-mail that the e-mail send processing unit 410 of the illegal server 400 sends, and other emails.

The e-mail display control unit 122 leaves the monitor 104a View emails sent by the email receiving unit 121 were received. Additionally, the e-mail display control unit displays 122 the URL specified in each e-mail in the form of a hyperlink. When the e-mail display control unit 122 notes the action of clicking on a hyperlink in the content of a displayed e-mail requesting the e-mail display control unit 122 the web browsing processing unit 111 to access the destination specified in the clicked hyperlink.

The functions of the access restriction processing unit 131 can be realized, for example, when the CPU 101 in the PC 100a an antivirus program 130 performs. The access restriction processing unit 131 monitors operations of a processing unit in the PC 100a , which accesses an external device, and prohibits access to targets contained in the virus definition file 132 are registered. At the processing unit in the PC 100a that accesses an external device is, among other things, the web browsing processing unit 111 , In addition, the access restriction processing unit updates 131 the virus definition file 132 in response to a request from the antivirus update server 500 or the access restriction control unit 144 ,

12 shows an example of information contained in the virus definition file 132 are stored according to the second embodiment. The virus definition file 312 is for example on the HDD 103 of the PC 100a saved. As in 12 is shown in the virus definition date 132 stored a list of URLs, each of which specifies destinations for which access is prohibited. It is also in the virus definition file 132 Also stored is status information indicating whether each URL is temporary or permanent in the virus definition file 132 is registered. the value of the status information is "0" if the URL is temporarily registered, and "1" if the URL is permanently registered.

As with renewed reference to the 11 can be seen, the functions of the connection manipulation detection unit 141 , the log recording unit 142 , the assessment unit 143 and the access restriction control unit 144 for example, when the CPU is running 101 in the PC 100a a monitoring program 140 (which complies with the aforementioned phishing website detection program). The monitoring program 140 can in the antivirus 130 be included.

If in the content of one on the monitor 104a through the email display control unit 122 displayed email is given a hyperlinked URL, performs the connection manipulation detection unit 141 an operation to detect a click on the hyperlinked URL. When the connection manipulation detection unit 141 detects a click on the hyperlinked URL informs the connection manipulation detection unit 141 the assessment unit 143 via the URL.

The log recording unit 142 stores according to a request from the judgment unit 143 as part of log information 145 a log of the operations which the pc 100a over a period of time, for example in the RAM 102 of the PC 100a ,

13 shows an example of information that is part of the log information 145 stored in the second embodiment. In the 13 Log information displayed includes a history of the operations performed by running the browser program 110 be performed, and a history of operations, by running the e-mail program 120 be performed, which are recorded with time information.

For example, the log recorder records 142 as part of the log information 145 a history of accesses to the web server by the web browsing processing unit 111 on. This will record the URLs of the destinations of the traffic. It also records the log recording unit 142 as part of the log information 145 a history of operations involving the web browsing processing unit 111 to display web pages. Furthermore, the log recorder records 142 as part of the log information 145 a history of operations of receiving data inputs in data entry areas of displayed web pages and a history of operations of detecting the clicking of image links on. This will be part of the log information 145 the input data, the information indicating the positions of the input areas over which the data are input, the information indicating the positions of the clicked image links, and other information are stored. Furthermore, the log recorder records 142 as part of the log information 145 a history of operations of receiving e-mails by the e-mail receiving unit 121 on. This will include the addresses of the sources and destinations of the received emails and other information as part of the log information 145 saved. Furthermore, the log recorder records 142 as part of the log information 145 a history of operations of detecting clicks on hyperlinked URLs in emails sent by the email display engine 122 are displayed. This will include the clicked URLs and other information as part of the log information 145 recorded.

Referring again to the 11 is described below that the assessment unit 143 based on the URL from which the appraisal unit 143 by the connection manipulation detection unit 141 has been informed determines if a phishing site is being accessed. If the assessment unit 143 by the connection manipulation detection unit 141 the URL is informed stores the assessment unit 143 the URL for example in RAM 102 of the PC 100a and causes the log recording unit 142 to start recording the log.

If the assessment unit 143 by the connection manipulation detection unit 141 is again informed of the URL mentioned, causes the assessment unit 143 then the log recording unit 142 To stop logging the log, and compare the domain name in the URL from which the appraisal unit 143 was informed with the domain name in RAM 102 saved URL. If the mentioned domain names are not identical, the appraisal unit provides 143 that's the one in RAM 102 stored URL specified a phishing Website is, ie, the assessment unit 143 detects a phishing website.

The access restriction control unit 144 requests the access restriction processing unit 131 on, the url of the appraisal unit 143 detected phishing site temporarily in the virus definition file 132 to register. In addition, the access restriction control unit sends 144 to the virus protection update server 500 the log information 145 and the URL of the detected phishing site and request the antivirus update server 500 to check the phishing site identified by the URL.

After the virus protection update server 500 The request for review receives the access restriction control unit 144 from the antivirus update server 500 a command indicating whether the temporary in the virus definition file 132 registered URL should be permanently registered. Will the access restriction control unit 144 instructed to permanently register the URL, the access restriction control unit requests 144 the access restriction processing unit 131 to permanently register the temporarily registered URL. On the other hand, if the access restriction control unit 144 is instructed not to permanently register the URL, the access restriction control unit requests 144 the access restriction processing unit 131 on, the temporarily registered URL from the virus definition file 132 to delete.

Like in the 11 The antivirus update server also illustrates 500 a receiving unit 510 , a test unit 520 and an update request unit 530 on. The functions of the receiving unit 510 , the test unit 520 and the update request unit 530 can be realized, for example, when a CPU in the antivirus update server 500 runs a predetermined program. The receiving unit 510 receives the URL of the phishing website and the log information from the access restriction control unit 144 the customer terminal, for example, the PC 100a ). the test unit 520 performs processing in support of examining the issue by whether the target is from the receiving unit 510 URL received is a phishing website. The test unit 520 For example, the display device displays the received log information. The reviewing operator uses the displayed log information, performs an action that causes the antivirus update server 500 accesses the Web site specified by the receiving URL, and checks to see if it is in the antivirus update server 500 Similar operations are performed as in the customer terminal. If the result of the check in the antivirus update server 500 entered, informs the test unit 520 the update request unit 530 from the result of the test. If that of the test unit 520 Supported testing yields that from the URL, which is the antivirus update server 500 from the access restriction control unit 144 the specified destination is a phishing site, the update request unit indicates 530 that of the access restriction control unit 144 in the client terminal (which contains the virus protection update server 500 from the URL) temporarily in the virus definition file 132 save saved URL permanently. Further, the update request unit informs 530 the other customer terminals (that of the customer terminal that has the anti-virus update server 500 has informed the URL, various customer terminals) of the URL whose destination was identified as the phishing website, and requests the other client terminals to enter the URL in the virus definition file 132 to register. If, on the other hand, that of the test unit 520 The result of this check is that of the URL, which is the antivirus update server 500 from the access restriction control unit 144 the specified destination is not a phishing site, the update request unit instructs 530 the access restriction control unit 144 in the client terminal (which contains the virus protection update server 500 from the URL) to the temporarily registered URL in the antivirus file 132 to delete.

2.5 Operation Sequence

The 14 and 15 in the context of the second embodiment, reproduce the first and second parts of an operation sequence that is executed when the PC 100a accessing an EC website through a phishing website.

<Step S101> The E-mail Send Processing Unit 410 of the illegal server 400 transfers to the PC 100a a URL notification email specifying the URL of an incorrect login web page and the email receiving unit 121 of the PC 100a receives the URL notification email.

<Step S102> The e-mail display control unit 122 in the PC 100a leaves the monitor 104a display the URL notification e-mail received in step S101. If the PC has an action of clicking on the hyperlinked URL specified in the URL notification e-mail, the e-mail display controller requests 122 the web browsing processing unit 111 of the PC 100a on, on the target specified by the clicked URL (the illegal server 400 ). Here, the connection manipulation detection unit recognizes 141 in the PC 100a clicking the hyperlinked URL, and the web browsing processing unit 111 accesses the illegal server 400 in response to the request from the e-mail display controller 122 to.

<Step S103> When the connection manipulation detection unit 141 Clicking on the hyperlinked URL will draw the appraisal unit 143 in the PC 100a the URL in the RAM 102 and assigns the log recording unit 142 to start recording a log.

<Step S104> In response to the access to the step S102, the customer information receiving unit initiates 420 in the illegal server 400 the PC 100a to display a wrong login web page. Thereafter, the web browsing processing unit initiates 111 of the PC 100a the monitor 104a to display the wrong login web page.

After the PC 100a has detected the input of a login ID and a password in input areas of the displayed login web page receives the web browsing processing unit 111 an action to select a login button in the login page. In response to the action of selecting the login button, the web browsing processing unit transmits 111 the entered login ID and password to the illegal server 400 ,

<Step S105> The customer information receiving unit 420 in the illegal server 400 receives the login ID and password from the PC 100a and stores the login ID and password in the customer information storage unit 440 , In addition, the server access processing unit accesses 430 in the illegal server 400 on the EC server 300 to. Subsequently, the server access processing unit receives 430 from the EC server 300 Data for displaying a login web page on the EC website, received from the PC 100a a login ID and password based on the received data of the login web page, transmits the received login ID and password to the EC server 300 , and asks you to log into the EC website.

<Step S106> The service providing processing unit 310 in the EC server 300 performs the first authentication based on the login ID and password used by the illegal server 400 from being received by. In particular, the service provisioning processing unit searches 310 in the customer DB 340 after the received login ID, extracts a password associated with the searched login ID and determines if the extracted password is identical to the received password. If the passwords are identical, represents the service provision processing unit 310 determined that the first authentication was successful.

<Step S107> If the first authentication is judged successful, the service providing processing unit extracts 310 from the customer DB 340 an e-mail address associated with the login ID searched in step S106 and generates a confirmation URL. Subsequently, the service delivery processing unit writes 310 the confirmation URL in the content of a confirmation e-mail and causes the e-mail sending processing unit 320 in the EC server 300 to transfer the confirmation e-mail to the one from the customer DB 340 extracted e-mail address.

<Step S108> The e-mail receiving unit 121 in the PC 100a receives the confirmation e-mail, and the e-mail display control unit 122 initiates the monitor 104a to display the received confirmation e-mail. When the e-mail display control unit 122 the action of clicking on the confirmation URL (which is hyperlinked) in the received confirmation e-mail requests the e-mail display control unit 122 the web browsing processing unit 111 in the PC 100a to, on the destination specified by the clicked URL (the EC server 300 ). Here, the connection manipulation detection unit recognizes 141 in the PC 100a clicking the hyperlinked confirmation URL. The web browsing processing unit 111 accesses the EC server 300 in response to the request from the e-mail display controller 122 to.

<Step S109> When the service providing processing unit 310 in the EC server 300 access to the confirmation e-mail from the PC 100a within a predetermined period of time after transmitting the confirmation e-mail in step S107, the service providing processing unit sets 310 determined that the second authentication was successful.

<Step S110> When the service providing processing unit 310 determines that the second authentication was successful, the service providing processing unit starts 310 By providing the electronic trading service by the PC 100a (which is the starting point of access) causes a member web page to be displayed. Furthermore, a processing for a further authentication (which is referred to in the following as third authentication) between the processing for the first authentication (in step S106) and the processing for the second authentication (in step S109). When the service delivery processing unit 310 in the EC server 300 For example, if it is determined that the first authentication was successful (step S106), the service providing processing unit may 310 initiate a call of the telephone number which of the login ID in the customer DB 340 assigned. The service delivery processing unit 310 can automatically send a tone to the other party and determine based on the operation of a key on the phone of the other party or the like, whether the other party has securely performed the login action. Represents the service delivery processing unit 310 determines that the other party has safely performed the action for login, the service providing processing unit 310 determine that the third authentication was successful, and the e-mail send processing unit 320 to transmit the confirmation e-mail (in step S107).

Alternatively, the service delivery processing unit 310 when the service providing processing unit 310 determines that the first authentication was successful (step S106), the e-mail transmission processing unit 320 to send an e-mail to the e-mail address associated with the login ID. If the EC server 300 receives an e-mail in response to the transmitted e-mail, the service providing processing unit may 310 determine that the third authentication was successful, and the e-mail send processing unit 320 for transmitting a confirmation e-mail (step S107).

<Step S111> When the connection manipulation detection unit 141 in the PC 100a detects the clicking of the hyperlinked confirmation URL in step S108, constitutes the judgment unit 143 in the PC 100a determines whether the domain name in the confirmation URL with the domain name in the RAM in step S103 102 stored URL is identical. If the domain names are not identical, the web page specified as the destination in step S102 is not a web page accessed by the EC server 300 presented legal EC website. In this case, the assessment unit informs 143 the access restriction control unit 144 in the PC 100a that a phishing website has been detected and informs the access restriction control unit 144 that in step S103 in the RAM 102 saved URL is the URL of the phishing website.

<Step S112> The access restriction control unit 144 sends to the antivirus update server 500 the URL from which the access restriction control unit 144 through the assessment unit 143 was informed, as well as that of the log recording unit 142 recorded log information.

<Step S113> The access restriction control unit 144 requests the access restriction processing unit 131 in the PC 100a on, the URL from which the access restriction control unit 144 through the assessment unit 143 was informed, temporarily in the virus definition file 132 to register. Subsequently, the access restriction processing unit registers 131 temporarily store the temporary URL by specifying the URL of the virus definition file 132 and sets the status information associated with the added URL to "0". In this way, the access restriction processing unit 131 the pc 100a immediately to stop further access to the site that is considered the phishing site.

In the aforementioned temporary registration, the access restriction processing unit registers 131 in the virus definition file 132 For example, just a string from the beginning part of the domain name of the URL. If the web browsing processing unit 111 attempts to access a destination with the same domain name, the access restriction processing unit 131 therefore stop the access attempt.

For example, suppose that the illegal server 400 also provides one or more false login web pages that mimic one or more websites that are from the EC website of the EC server 300 are different. In this case, the illegal server distributes 400 the one or more URLs of the one or more other websites using URL notification emails. In many cases, the URLs of Web pages served by an illegal server have the same domain name. Therefore, if the domain name in the URL that was found to target a phishing site is in the virus definition file 132 is registered, the access restriction processing unit 131 the attempt of the web browsing processing unit 111 stop accessing the one or more incorrect login webpages that mimic one or more other websites. It is thus possible to further steal login IDs or passwords in the one or more other websites through the illegal server 400 to prevent.

<Step S114> The receiving unit 510 in the antivirus update server 500 supplies the test unit 520 the URL and the log information, which of the access restriction control unit 144 of the PC 100a were received from. Then the test unit leads 520 a processing to support the work of checking whether that from the receiving unit 510 received URL is a phishing site, through.

For example, the test unit initiates 520 the display device for displaying the received log information. Thereafter, the operator performing the check performs the check by referring to the displayed log information. For example, the operator serves the virus protection update server 500 such that this is a member registration in the EC server 300 through the illegal server 400 reached. Then the operator serves the virus protection update server 500 to get that through by the receiving unit 510 received URL specified destination (the illegal server 400 ), and checks to see if any operations are being performed by the PC 100a performed operations are similar. If the log information as well as the URL from the PC 100a to the virus protection update server 500 can be transferred, the efficiency and precision of the test can be increased. Alternatively, the test unit 520 automatically perform part of the operations that are otherwise actions of the operator based on the log information. The part of the operations performed by the test unit 520 automatically done, can access the illegal server 400 and the EC server 300 include.

As another alternative, the test unit 520 perform a processing for a check that is not based on the log information. The test unit 520 transmits, for example, from the PC 100a Receive URL to a database server that stores the URLs of phishing sites and ask if the destination specified by the submitted URL is a phishing site.

<Step S115> When the destination indicated by the URL is detected by the check as a phishing Web site, the operator enters the virus protection update server 500 Information about the finding by the examination. Subsequently, the test unit receives 520 the information about the determination and requests the update request unit 530 to perform an operation to update the virus definition file 132 on.

<Step S116> The update request unit 530 assigns the pc 100a (from which the URL and the log information were transmitted) that are in the virus definition file 132 to register permanently stored URL permanently.

<Step S117> In response to the instruction from the update requesting unit 530 of the virus protection update server 500 calls the access restriction control unit 144 of the PC 100a the access restriction processing unit 131 in step S113 of the virus definition file 132 to permanently register the added URL. The access restriction processing unit 131 then registers the virus definition file in step S113 132 Added URL permanently by changing the status information of the added URL from "0" to "1".

<Step S118> The update request unit 530 in the antivirus update server 500 informs the other customer end devices (the PCs 100b and 100c in this example) in which the antivirus program 130 each is installed from the URL that the antivirus update server 500 from the PC 100a in step S112, and requests an update of the virus definition file 132 in every customer terminal.

<Step S119> In response to the request of updating the virus definition file 132 registers the access restriction processing unit 131 in the PC 100b In addition, the URL from which the PC 100b was informed (or the part of the URL from the initial bit to the domain name), in the HDD of the PC 100b saved virus definition file 132 , In this case, the status information of the additionally registered URL is set to "1".

<Step S120> Similarly, the access restriction processing unit registers 131 in the PC 100c in response to the request for an update of the virus definition file 132 In addition, the URL from which the PC 100c was informed (or the part of the URL from the initial bit to the domain name), in the HDD of the PC 100c saved virus definition file 132 , In this case, the status information of the additionally registered URL is set to "1".

As previously in connection with the processing according to the 14 and 15 described compares the assessment unit 143 of the PC 100a the domain name in the URL of the login web page stored in step S103 with the domain name of the URL included in the confirmation e-mail received in step S107. If the compared domain names are not identical, the appraisal unit issues 143 notices that the login web page is a phishing site. Thus, the customer terminal can detect the phishing website.

In addition, the access restriction control unit demands 144 , if the judging unit 143 recognize a website as a phishing site, the access restriction processing unit 131 on, the URL of the web page temporarily in the virus definition file 132 to register without checking by the antivirus update server 500 waiting. It is thus possible to directly prohibit access to the said website. Since the domain name is registered in the URL when the URL is temporarily registered, it is possible for the illegal server to incur theft of authentication information used to log in to other web servers 400 Immediately prevent and thus the damage to the customer, the PC 100a uses, reduce.

Furthermore, the access restriction control unit provides 144 based on the scan result of the virus protection update server 500 Determine if the temporary in the virus definition file 132 registered URL should be permanently registered. It is thus possible to increase the accuracy of the detection of the phishing website and to reduce the possibility that the access restriction processing unit 131 mistakenly denies access to sites other than the phishing site.

16 shows a processing flow that the PC 100a according to the monitoring program 140 performs according to the second embodiment.

<Step S131> The connection manipulation detection unit 141 monitors the actions of the customer in relation to clicking on a first URL, in the form of a hyperlink in a first e-mail on the monitor 104a under the control of the e-mail display control unit 122 is shown. When the connection manipulation detection unit 141 detects a click on the first URL, the process proceeds to step S132.

<Step S132> The judgment unit 143 draws in the RAM 102 the URL clicked on in step S131.

<Step S133> The judgment unit 143 requests the log recording unit 142 to start recording a log. Thereafter, the log recording unit starts 142 with recording a log that forms part of the log information.

<Step S134> The connection manipulation detection unit 141 monitors the actions of the customer in relation to the clicking on a second URL, which in the form of a hyperlink in a second e-mail on the monitor 104a under the control of the e-mail display control unit 122 is shown. When the connection manipulation detection unit 141 detects a click on the second URL, the process proceeds to step S135.

However, if no clicking of the second URL is detected, for example, within a predetermined period of time after the recognition of the click in step S131, the judging unit may 143 in step S132 in RAM 102 delete stored first URL, stopping the log recording by the log recording unit 142 cause and the recorded log information 145 Clear.

<Step S135> The judgment unit 143 initiates the completion of the log recording by the log recording unit 142 ,

<Step S136> The judgment unit 143 compares the domain name of the first URL stored in RAM in step S132 102 was stored with the domain name of the second URL thickened in step S134. If the first and second URLs are identical, the flow advances to step S137. If the first and second URLs are not identical, the flow advances to step S138.

<Step S137> The judgment unit 143 clears the RAM in step S132 102 stored first URL and also deletes the recorded log information 145 , Subsequently, the flow returns to step S131.

<Step S138> The judgment unit 143 informs the access restriction control unit 144 from the RAM in step S132 102 stored first URL. Subsequently, the access restriction control unit transmits 144 the first URL from which the assessment unit 143 the access restriction control unit 144 has informed, and that of the log recording unit 142 recorded log information 145 to the virus protection update server 500 ,

<Step S139> The access restriction control unit 144 requests the access restriction processing unit 131 on, the (first) URL from which the assessment unit 143 the access restriction control unit 144 has informed, temporarily in the virus definition file 132 to register. Thereafter, the access restriction processing unit registers 131 To temporarily register the URL to be registered by passing the URL (or part of the URL from the initial bit to the domain name) of the virus definition file 132 adds and sets the corresponding status information to "0".

Alternatively, the operations performed in step S139 may be performed before the operations of step S138.

<Step S140> The access restriction control unit 144 waits for a command from the antivirus update server 500 , If the access restriction control unit 144 from the antivirus update server 500 is instructed to permanently register the temporarily registered URL, the flow proceeds to step S141. If the access restriction control unit 144 from the antivirus update server 500 is instructed to delete the temporarily registered URL, the flow proceeds to step S142.

<Step S141> The access restriction control unit 144 requests the access restriction processing unit 131 on, the virus definition file 132 permanently registering URLs added in step S139. Subsequently, the access restriction processing unit registers 131 the in the virus definition file 132 temporarily registered URL in step S139, by changing the status information associated with the added URL from "0" to "1". Thereafter, the flow returns to step S131.

<Step S142> The access restriction control unit 144 requests the access restriction processing unit 131 on, the virus definition file 132 delete URL added in step S139. Subsequently, the access restriction processing unit deletes 131 the virus definition file 132 URL added in step S139. Thereafter, the process returns to step 131 back.

3. Third embodiment

The third embodiment will be explained below. In the computer network system according to the second embodiment, each PC recognizes the clicking of a URL indicating a login web page contained in an e-mail. On the other hand, the computer network according to the third embodiment is further configured to determine whether or not a login web page connected to each of the PCs in response to hyperlink linking on a web page is a phishing web site.

17 shows examples of the processing functions of a PC 100a ' in the third embodiment. In 17 are elements that elements in 11 correspond with the same reference numerals as in 11 Mistake.

In 17 monitors the connection manipulation detection unit 141 ' in the PC 100a ' the actions of the customer regarding the click of a URL in one on the monitor 104a through the email display control unit 122 displayed email. In addition, the connection manipulation detection unit monitors 141 ' also the actions of the customer regarding the clicking of a URL in one of the web browsing processing unit 111 on the monitor 104a displayed email.

The connection manipulation detection unit 141 ' , the log recording unit 142 ' , the assessment unit 143 ' and the access restriction control unit 144 ' can the in 18 and the operations of the connection manipulation detection unit 141 , the log recording unit 142 , the assessment unit 143 and the access restriction control unit 144 performed operations according to 16 carry out.

18 Fig. 12 shows a processing flow of the PC 100a ' according to a monitoring program 140 ' is performed according to the third embodiment.

<Step S161> The connection manipulation detection unit 141 ' monitors the actions of the customer regarding the clicking of a hyperlink in a first web page, which is displayed on the monitor 104a from the web browsing processing unit 111 is shown. Detects the connection manipulation detection unit 141 ' a click on the hyperlink, the flow proceeds to step S162. This is where the web browsing processing unit attacks 111 to the target associated with the clicked hyperlink and causes the monitor 104a to display a new website.

<Step S162> The judgment unit 143 ' draws in RAM 102 a destination associated with the URL appended in step S161.

<Step S163> The judgment unit 143 ' requests the log recording unit 142 ' to start recording a log. Then the log recording starts 142 ' with recording a log as log information 145 ,

<Step S164> The connection manipulation detection unit 141 ' monitors the customer's actions for clicking a hyperlink specified in a second web page that the monitor uses 104a under the control of the web browsing processing unit 111 is shown. If no clicking of the hyperlink is detected within a predetermined period of time, the flow advances to step S166. When the connection manipulation detection unit 141 ' however, if it detects a click of the hyperlink, the flow advances to step S165.

The of the connection manipulation detection unit 141 ' action detected in the respective steps S161 and S164 is a click on a hyperlink to the connection of the PC 100a ' with a another web page and, for example, a click on a "send" button intended to transmit input information is not recognized in any of steps S161 and S164.

<Step S165> If in step S164 the hyperlink to the connection of the PC 100a ' is clicked on with another website deletes the assessment unit 143 ' in step S162 in the RAM 102 saved URL. In addition, the assessment unit initiates 143 ' the log recording unit 142 ' recording the log as log information 145 to terminate and cause the log recording unit 142 ' , the recorded log information 145 to delete. If the operation is performed in step S162 after the operation in step S165, the URL associated with the hyperlink attached in the previous operation in step S164 is stored in RAM in step S162 102 saved.

If in step S164 the hyperlink for connecting the PC 100a ' clicked on with another web page is the second web page used by the web browsing processing unit 111 is displayed immediately before the start of the operations of step S164, neither a login web page provided by the EC server nor an incorrect login web page which the illegal server 400 supplies. This is because if the second web page is a login web page, the PC 100a ' receive a confirmation e-mail and click on the URL specified in the confirmation e-mail before an action to connect the PC 100a ' with another website. The click on the URL in the confirmation e-mail is recognized in step S166.

<Step S166> The connection manipulation detection unit 141 ' monitors the actions of the customer regarding the clicking of a URL which is indicated as a hyperlink in an e-mail controlled by the e-mail display control unit 122 on the monitor 104a is shown. Will not be clicking the URL in said e-mail within a predetermined period of time by the link manipulation detection unit 141 ' recognized, the process proceeds to step S164. On the other hand, if the connection manipulation detection unit 141 ' detects a click on the URL in the e-mail, the flow proceeds to step S167.

The operations in subsequent steps S167 to S174 are respectively the operations in steps S135 to S142 in FIG 16 similar.

<Step S167> The judgment unit 143 ' initiates the log recording unit 142 ' to finish the log.

<Step S168> The judgment unit 143 ' compares the domain name in RAM in step S162 102 recorded URL with the domain name in the URL clicked in step S166. If the URLs are identical, the flow advances to step S169. If the URLs are not identical, the flow advances to step S170.

<Step S169> The judgment unit 143 ' deletes those in the RAM 102 URL stored in step S162 and also clears the recorded log information 145 , Subsequently, the flow returns to step S161.

<Step S170> The judgment unit 143 ' informs the access restriction control unit 144 ' from the one in the RAM 102 URL recorded in step S162. Subsequently, the access restriction control unit transmits 144 ' to the virus protection update server 500 the URL through which the access restriction control unit 144 ' from the assessment unit 143 ' was informed, and by the log recording unit 142 ' recorded log information 145 ,

<Step S171> The access restriction control unit 144 ' causes the access restriction processing unit 131 the URL through which the access restriction control unit 144 ' from the assessment unit 143 ' was temporarily in the virus definition file 132 save.

Alternatively, the operation performed in step S171 may be performed before the operations in step S170.

<Step S172> When the access restriction control unit 144 ' from the antivirus update server 500 is instructed to permanently register the temporarily registered URL, the process proceeds to step S173. If the access restriction control unit 144 ' from the antivirus update server 500 is instructed to delete the temporarily registered URL, the flow proceeds to step S174.

<Step S173> The access restriction control unit 144 ' causes the access restriction processing unit 131 in step S171 of the virus definition file 132 to permanently register the added URL. Subsequently, the flow returns to step S161.

<Step S174> The access restriction control unit 144 ' causes the access restriction processing unit 131 in step S171 of the virus definition file 132 delete added URL. Then, it clears the access restriction processing unit 131 the in step S171 of the virus definition file 132 added url. The flow then returns to step S161.

As previously explained, according to the operation sequence 18 , the computer 100a ' recognize that the pc 100a ' in response to clicking a hyperlink in a web page is connected to a phishing website and the authentication information to an illegal server 400 be transmitted.

4. Recording media storage program

The processing functions according to the first to third embodiments can be realized by means of a computer. In this case, a program is provided which describes the details of the processing for implementing the functions of the first to third embodiments. When a computer executes the program describing the details of the processing for implementing the functions of the first to third embodiments, the processing functions on the computer can be realized.

The program describing the details of the processing may be stored in a computer readable recording medium that can be read by the computer. The computer-readable recording medium may be a magnetic recording device, an optical disk, an optical-magnetic recording medium, a semiconductor memory, or the like. The magnetic recording device may be a hard disk drive (HDD), a flexible disk (FD), a magnetic tape, or the like. The optical disc may be a DVD (Digital Versatile Disc), a DVD-RAM (Random Access Memory), a CD-ROM (Compact Disc-Read Only Memory), a CD-RW (ReWritable) or the like. The optical magnetic recording medium may be a MO (Magneto-Optical Disc) or the like.

For example, in order to put the program on the market, it is possible to sell a portable recording medium such as a DVD or a CD-ROM on which the program is recorded. Alternatively, it is possible to store the program in a storage device belonging to a server computer and to transmit the program via a network to another computer.

The computer which executes the program according to the first to third embodiments stores the program in a storage device of the computer, the program originally being stored, for example, on a portable recording medium or originally transmitted from the server computer. The computer reads the program from the storage device and performs processing in accordance with the program. Alternatively, the computer may read the program directly from the portable recording medium to perform the processing according to the program. According to another alternative, each computer may execute the processing sequentially corresponding to each section of a program each time the section of the program is transmitted from the server computer.

5. Other

All stated examples and conditional phrases are for educational purposes to assist the reader in understanding the invention and the concepts advanced by the inventors to advance the art, and are not to be construed as limited to such specific examples and conditions, nor does the arrangement of US Pat Examples in the description an over or subordinate ranking in the context of the invention. Although the embodiments of the invention have been described in detail, it should be understood that various changes, substitutions and alterations can be made without departing from the scope of the invention.

QUOTES INCLUDE IN THE DESCRIPTION

This list of the documents listed by the applicant has been generated automatically and is included solely for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Cited patent literature

• JP 2002-91917 [0003]
• JP 2002-288134 [0004]
• JP 2004-64215 [0004]

Claims (15)

A computer program executed by a computer connected to a server which transmits an e-mail, transmits the first connection information to an address associated with authentication information when the server receives the authentication information, and allows a service to be supplied by a device, which is a source of authentication information when the server obtains access to a destination indicated by the first connection information, the computer being able to perform processing based on screen data generated in response to access by a second computer Connection information received destination to effect the display of an input screen on a display device, and to transmit the authentication information to a device which is the source of the screen data, when the Authentisierungsi entered into an input area within the input screen, and wherein the computer program causes the computer to execute a sequence comprising the steps of: Recording the second connection information in a storage device when the computer detects an operation of the computer for the purpose of requesting access to a destination indicated by the second connection information; and Determining whether the first connection information in a predetermined part is identical with the second connection information stored in the storage means when the computer receives the e-mail containing the first connection information and an action of the computer for the purpose of requesting access to one recognizes the first connection information specified destination. The computer program of claim 1, wherein the process further comprises prohibiting access to a destination indicated in connection information identical to the second connection information in the predetermined area if it is determined that the first connection information is not in the predetermined area are identical to the second connection information stored in the memory device. A computer program according to claim 1 or 2, wherein, when the first connection information as in the predetermined area is not identically detected with the second connection information stored in the storage means, the process further comprises the step of sending the second connection information to a connection information collection server connected to the computer includes and collects connection information, and the step of determining, according to a command from the side of the connection information collection server, whether the setting for prohibiting access to a destination indicated by connection information identical to the second connection information in the predetermined area includes is to be maintained. A computer program as claimed in any one of claims 1 to 3, wherein the process further comprises the step of logging information about operations performed by the computer upon detecting a computer action requesting access to the destination specified in the second connection information until a computer action is detected Storing the request for access to the destination specified by the first connection information in the storage device, and further comprising the step of sending the log information to the connection information collection server when it is determined that the first connection information in the predetermined area does not match the second connection information are identical. A computer program according to any one of claims 1 to 4, wherein upon detecting a computer action requesting access to the destination indicated in the second connection information, the computer recognizes an action for selecting an indication of the second connection information contained in an e-mail which the computer has received before the computer receives the e-mail containing the first connection information. An information processing apparatus connected to a server which transmits an e-mail, transmits the first connection information to an address associated with authentication information when the server receives the authentication information, and allows delivery of a service by a device which is a source of authentication information; when the server obtains access to a destination indicated by the first connection information, the information processing apparatus comprising: authentication information transmitting means that causes a display device to display an input screen based on screen data received in response to access to a destination indicated by the second connection information , and which sends the authentication information to a device that is the source of the data, if the Authentication information has been input to an input area of the input screen; and judging means storing the second connection information in a storage means when the information processing apparatus recognizes an action of the information processing apparatus to request access to the destination indicated by the second connection information, and determines whether the first connection information in a predetermined area matches that in the storage means stored second connection information are identical when the information processing apparatus receives the e-mail containing the first connection information, and detects an action of the information processing apparatus for requesting access to the destination specified in the first connection information. The information processing apparatus according to claim 6, further comprising an access restriction processing unit prohibiting access to a destination indicated by connection information identical to the second connection information stored in the predetermined area in the predetermined area when the first connection information is in the predetermined area not identically identified with the second connection information stored in the storage means. An information processing apparatus according to claim 6 or 7, wherein, when the first connection information as in the predetermined area is not identically detected with the second connection information stored in the storage means, the judging means transmits the second connection information to a connection information collection server connected to the computer and connection information and the access restriction processing unit determines, according to a command from the connection information collection server side, whether the setting for prohibiting access to a destination indicated by connection information identical in the predetermined area with the second connection information stored in the storage device is maintained is. An information processing apparatus according to any one of claims 6 to 8, further comprising log recording means for logging information on operations performed by the information processing apparatus upon detecting an action of the information processing apparatus to request access to the destination specified in the second connection information until detection of an action of To store information processing apparatus for requesting access to the destination indicated by the first connection information in the storage means, wherein the judgment unit sends the log information to the connection information collection server, the first connection information as identical to the second connection information stored in the predetermined means in the predetermined area become. An information processing apparatus according to any one of claims 6 to 9, wherein upon judging an action of the information processing apparatus for requesting access to the destination indicated in the second connection information, the judging unit recognizes an action for selecting an indication of the second connection information included in an e-mail which the information processing apparatus has received before the information processing apparatus receives the e-mail containing the first connection information. An access control method executed by an information processing apparatus connected to a server which transmits an e-mail, transmits the first connection information to an address associated with authentication information when the server receives the authentication information, and allows delivery of a service by a device having a The source of authentication information is when the server obtains access to a destination specified by the first connection information, the access monitoring method comprising the steps of: recording the second connection information in a storage device if the information processing device requires an operation of the information processing device for the purpose of requesting access to a recognizes destination indicated by the second connection information; Causing display of an input screen by a display device based on screen data received in response to access to the one by the second connection information; Sending the authentication information to a source of the screen data device when the authentication information is input to an input area provided in the input screen; and determining whether the first connection information in a predetermined part is identical with the second connection information stored in the storage device when the information processing device receives the e-mail containing the first connection information and an action of the information connection device for the purpose of requesting access to one recognizes the destination specified by the first connection information. The access control method according to claim 11, further comprising the step of prohibiting the access to a destination specified in connection information identical to the second connection information in the predetermined area if it is determined that the first connection information in the predetermined area does not match with the first connection information are identical in the memory device stored second connection information. The access control program according to claim 11 or 12, wherein, when the first connection information as the second connection information stored in the predetermined area is not identically detected, the access control program further comprises the step of sending the second connection information to a connection information collection server connected to the computer includes and collects connection information, and the step of determining, according to a command from the side of the connection information collection server, whether the setting for prohibiting access to a destination indicated by connection information identical to the second connection information in the predetermined area includes is to be maintained. The access control program according to any one of claims 11 to 13, further comprising the step of logging information about operations performed by the information processing apparatus upon detecting an action of the information processing apparatus to request access to the destination specified in the second connection information until detection of an action of the information processing apparatus Storing the request for access to the destination specified by the first connection information in the storage device, and further including the step of sending the log information to the connection information collection server when it is determined that the first connection information in the predetermined area does not match the second connection information are identical. The access control program according to any one of claims 11 to 14, further comprising the step of recognizing an action for selecting an indication of the second connection information included in an e-mail which the information processing apparatus has received before the information processing apparatus receives the e-mail contains the first connection information so as to detect the action of the computer requesting access to the destination specified in the second connection information.

Images